Flash Cookie Researchers Spark Quantcast Change

Ghosts respawn in Ms. Pacman even after a player kills them, not unlike what happens when sites reinstate tracking cookies after users delete them. Online tracking company Quantcast says it stopped this practice after a critical report Monday.

UC Berkeley researchers who exposed how the net’s top sites use a little-known feature of Flash to track users can proudly notch their belts: Quantcast, one of the largest online tracking and traffic-measuring companies, has stopped using so-called Flash cookies to rebuild cookies that users intentionally deleted.

The researchers, led by grad student Ashkan Soltani, found that Quantcast was one of several companies who used Flash cookies on the net’s most popular websites to re-spawn traditional browser cookies after users had deleted them. According to their findings released on Monday, the undead cookies created by Quantcast were discovered on Hulu.com, the popular online video site, which uses Quantcast to measure its traffic.

“Research in action!” exclaimed Soltani, a graduate student in information sciences who conducted the study this summer with three undergraduates.

They found that 54 of the top 100 sites use Flash cookies for a variety of purposes, from setting default volume levels on video players to assigning a unique ID to users that tracks them no matter what browser they use. (Disclosure: Wired.com set one on this writer’s computer to set video preferences.)

Soltani tempered his excitement, however, by showing that the problem of undead cookies was still happening on Hulu.com, despite Quantcast’s changes. That, he said, showed that there was much left for the industry, if not the government to do.

Adobe’s Flash player is a multimedia browser plug-in that is almost ubiquitous on the net and it lets websites store data about users in special folders on their hard drives. Deleting cookies or erasing one’s history does not clear Flash’s cookies, which are controlled by visiting a special Adobe web page.

QuantCast was using the same user ID in its HTML and Flash cookies, and when a user got rid of the former, Quantcast would reach into the Flash storage bin, retrieve the user’s old number and re-apply it so the customer’s browsing history around the net would not be cut off.

Not so on Wednesday.

“Quantcast no longer restores deleted cookies using values stored in Flash,” Cubeta said, describing the behavior as an “unintended effect” of trying to have better web-traffic measurement.

Quantcast is used by thousands of sites to measure the number of unique visitors and to get information on the kinds of people visiting their site — athletic, older, interested in food, etc. The company added that its Flash cookies are not used in its targeted ads, which users can opt out of at the Networked Advertising Initiative opt-out page.

The news of the re-spawning cookies and widespread use of Flash cookies comes as Congress and federal regulators are looking closely at the widespread practice of collecting information on web users across multiple websites in order to later serve them targeted ads, a practice known as behavioral advertising.

Ad networks have long promised to police themselves, but research has shown those promises have largely been empty and unenforceable.

Soltani confirmed Quantcast’s change in how it handled Flash on the Hulu.com site, calling it a “great” change.

But he found that if users simply deleted cookies without clearing the browser cache, the identifiers in the deleted browser cookies still returned to cookies from Hulu.com and Quantcast — likely using information stored in the cache.

“I applaud them for taking steps so quickly to resolve this, but I think it takes broader foresight (or perhaps even oversight) to really match consumer expectations with actual practices,” Soltani said.

QuantCast said it would look into Soltani’s further findings and asked for his contact information.

For its part, Adobe says it’s really not that hard to manage Flash cookies via its website, and that, as a browser plug-in, there’s no way currently for Flash to integrate with the cookie controls built into browsers.

But they are working to change that, according to Brad Arkin, who is in charge of security and privacy at Adobe.

“Adobe has begun collaborating with some of the browser vendors to expose the relevant APIs,” Arkin said in a statement. “The goal is to simplify the process of allowing users to make their privacy choices in one place and be assured that these choices will be honored in the Flash Player.”

Tools:

Users who want to control or investigate Flash cookies have several options, according to reader Brian Carpenter:

Here’s The Thing With Ad Blockers

We get it: Ads aren’t what you’re here for. But ads help us keep the lights on. So, add us to your ad blocker’s whitelist or pay $1 per week for an ad-free version of WIRED. Either way, you are supporting our journalism. We’d really appreciate it.